libelf: Improve ELF header validation

Avoid integer overflow and reading past EOF. MFC of r276427, r276443, r277249 from contrib/elftoolchain.
2015-01-23 04:07:07 +00:00 · 2015-01-23 04:07:07 +00:00 · 227bb2b2ea
commit 227bb2b2ea
parent 23ccab912a
1 changed files with 5 additions and 2 deletions
--- a/lib/libelf/elf_scn.c
+++ b/lib/libelf/elf_scn.c
@ -31,6 +31,7 @@ __FBSDID("$FreeBSD$");
 #include <errno.h>
 #include <gelf.h>
 #include <libelf.h>
+#include <stdint.h>
 #include <stdlib.h>

 #include "_libelf.h"
@ -55,8 +56,10 @@ _libelf_load_scn(Elf *e, void *ehdr)
 	assert((e->e_flags & LIBELF_F_SHDRS_LOADED) == 0);

 #define	CHECK_EHDR(E,EH)	do {				\
-		if (fsz != (EH)->e_shentsize ||			\
-		    shoff + fsz * shnum > e->e_rawsize) {	\
+		if (shoff > e->e_rawsize ||			\
+		    fsz != (EH)->e_shentsize ||			\
+		    shnum > SIZE_MAX / fsz ||			\
+		    fsz * shnum > e->e_rawsize - shoff) {	\
 			LIBELF_SET_ERROR(HEADER, 0);		\
 			return (0);				\
 		}						\